j bens | 28 Jan 19:29 2015

EOF character in file upload causing mod security to return 403

I have the following form that posts 2 fields and a file.

<form id="uploadNewForm" action="/upload-new" method="POST" enctype="multipart/form-data" novalidate="novalidate">

    <select id="customerNumber" name="customerNumber"><option value="0001">0001</option></select>

    <input id="file" name="file" type="file" value="">

    <input type="submit" value="Upload" name="fileUpload">

    <textarea id="comments" name="comments" maxlength="1000" style="height: 100%;"></textarea> 

</form>

A user recently tried to upload a .pdf file that contained an EOF character within it. This seems to have caused mod-security to reject the request due to

> Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required

I am assuming that mod security is considering the request done once it hits the EOF character.

I do not wish to tell all users that if they get a 403 error to recreate the file in hopes that it doesn't contain the EOF character.

What are my options? Could the browser encode the file somehow, by some setting in the HTML form, so modsecurity doesn't see the EOF character? Or can mod security be configured to ignore EOF characters until the POST request is truly completed?
------------------------------------------------------------------------------
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
Brian G | 28 Jan 10:28 2015

whitelist IP for specific rule on specific domain

Hello,
We're continuing to have issues with false positives for clients while working on their sites.

I read in the ASL docs that it's possible to create a whitelist rule that is specific to an IP, for a given rule number on a specific domain.

Unfortunately, there wasn't a good example of the syntax to do this.

Can anyone help with an example?

We're also looking for a way users would be able to add their own IP to such rules via their client portal UI, if such a thing is possible without too much customization.

--
Thanks,
Brian
------------------------------------------------------------------------------
Fem Rah | 24 Jan 19:07 2015

Diff between security_module and mod_security2.c

Hi,

Is there any difference between <IfModule security_module> and <IfModule mod_security2.c>?

Thanks,
Femrah.
------------------------------------------------------------------------------
Neha Chriss | 24 Jan 08:05 2015

ARGS_NAMES Whitelist Confusion

Hello

I'm confused regarding how modsec uses the ARGS_NAMES variable. I have an argument name "data[Token][MenuText]" that triggers the following alert. As you can see, the "]" character triggers a positive match for Rule ID 981173:

[Sat Jan 24 06:32:34.870846 2015] [:error] [pid 18432:tid 139760092411648] [client 10.27.4.156] ModSecurity: Warning. Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS_NAMES:data[Token][MenuText]. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: ] found within ARGS_NAMES:data[Token][MenuText]: data[Token][MenuText]"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "lb.internal.dev"] [uri "/accnt/metadata"] [unique_id "VMM8ggobBLkAAEgAxtEAAAAA"]

I'm generally using the following whitelist format for my application arguments:
SecRule ARGS:user_id "([a-z0-9]-|[0-9a-z])" "id:1110007,phase:1,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=.*;ARGS:user_id"

For ARGS_NAMES I've tried the following:

SecRule ARGS_NAMES "!^data[\[][a-zA-Z0-9]+[\]]" "id:1110025,phase:1,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=.*"
SecRule ARGS_NAMES "!^(data[\[][A-Za-z]+[\]][\[]([A-Za-z]+|(\s|[\%][2][0]))+[A-Za-z]+[\]])" "id:1110025,phase:1,pass"
SecRule ARGS_NAMES "![*.?]" "id:1110025"
SecRule ARGS_NAMES:data[Tests][ReferralMenuText] "data[\[][A-Za-z]+[\]][\[][A-Za-z]+[\]]" "id:1110025,phase:1,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=.*;ARG_NAMES:data[Tests][ReferralMenuText]"

This argument name is similar to others my application uses, so my regex reflects that to some degree. Of course, none of these actually work. A few tries even triggered segfaults. Can anyone suggest an example that will allow me to whitelist my argument names?

Best,
mc




------------------------------------------------------------------------------
flowdragon@qq.com | 23 Jan 03:38 2015

Looks like memory leakage on nginx 1.6.0/modsecurity 2.8.0

Hi,
    I tested modsecurity 2.8.0 with nginx 1.6.0 several times and found that every time I ran a scan against the web site, the nginx processes took a huge amount of memory and swap.

    My problems are:
    1. the huge amount of resources taken by nginx+modsecurity
    2. I drop the remote_addr of a banned IP in phase:1, but the requests are still processed in phase 4
    
    (problem 1, resources) I don't know what the problem is; here are the results of the tests I have finished.
    1. nginx in reverse proxy mode
    2. without modsecurity On, the average CPU is 0.4%, memory 115MB, swap 600MB, more or less
    3. with On, it takes all the memory (64GB total) and almost the same amount of swap, like 2 nginx processes with 27GB of swap and memory each, or 10GB of swap and memory with 5 nginx processes.
    4. it looks like it always happens after rule ID 200005 shows up in the log, TX:MSC_PCRE_LIMITS_EXCEEDED
    
    (problem 2, the rules do not work)
#Too many errors,block IP, error 50times, block 3600s

SecRule REMOTE_ADDR "@streq %{ip.blocked}" "id:'1',phase:1,drop,log,msg:'IP blocked %{ip.blocked}',expirevar:ip.blocked=3600"

SecRule IP:SCAN_BLOCK_FLAG "@ge 1" "id:'250',phase:1,t:none,drop,log,msg:'IP drop %{REMOTE_ADDR}',expirevar:ip.scan_block_flag=3600,setvar:ip.scan_block=+2"

SecRule RESPONSE_STATUS "^4[0-9][0-9]$" "id:'256',phase:3,t:none,pass,nolog,setvar:IP.scan_block=+1,setvar:ip.scan_deny=+1,"

SecRule IP:SCAN_DENY "@ge 40" "id:'31',phase:1,t:none,drop,log,msg:'drop connection of %{REMOTE_ADDR}',setvar:ip.scan_deny=+1,expirevar:ip.scan_deny=1200,setvar:ip.blocked=%{REMOTE_ADDR}"
        #SecRule REMOTE_ADDR "@streq %{ip}"

SecRule IP:SCAN_BLOCK "@ge 50" "id:'255',phase:1,t:none,deny,status:401,log,msg:'Scan Detect, IP block %{REMOTE_ADDR}',setvar:!IP.scan_block,setvar:ip.scan_block_flag=1"

SecAction id:'299',phase:5,deprecatevar:ip.scan_block=1/2,deprecatevar:ip.scan_deny=1/2,nolog,pass
   
-------------------------
CPU: Intel(R) Xeon(R) CPU E7-4820 v2 @ 2.00GHz  * 12 core
MemTotal:       65972856 kB
 Swap: 33054712k total
   
------------------------
nginx version: nginx/1.6.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) 
TLS SNI support enabled
configure arguments: --with-http_gzip_static_module --prefix=/usr/local/nginx --with-http_realip_module --with-http_ssl_module --with-http_stub_status_module --add-module=/usr/local/ngx_cache_purge-2.1 --add-module=/usr/local/health --add-module=../modsecurity/nginx/modsecurity

This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by modsecurity configure 2.8, which was
generated by GNU Autoconf 2.69.  Invocation command line was

  $ ./configure --with-yajl --enable-standalone-module --disable-mlogc --enable-pcre-match-limit=900000 --enable-pcre-match-limit-recursion=900000

-----------------------

flowdragon <at> qq.com
------------------------------------------------------------------------------
Fem Rah | 22 Jan 16:44 2015

mlogc not writing to console

Hi,

I have been struggling to get mlogc to work. I built modsecurity 2.7.7 on Debian 7.

Now mlogc is not writing to the console, but I can see the data in /var/log/mlogc/data

mlogc error file is:

[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] CURL: connected
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] CURL: Connected to 85.159.209.7 (85.159.209.7) port 80 (#0)
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] CURL: Server auth using Basic with user 'aspis'
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] CURL: HEADER_OUT PUT /waffle/controller HTTP/1.1
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] CURL: additional stuff not fine transfer.c:1037: 0 0
[Thu Jan 22 18:37:20 2015] [5] [12998/7f9a49757100] CURL: DATA_OUT --47dc5277-A--
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] CURL: We are completely uploaded and fine
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] CURL: HTTP 1.1 or later with persistent connection, pipelining supported
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] CURL: HEADER_IN HTTP/1.1 301 Moved Permanently
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] CURL: HEADER_IN Date: Thu, 22 Jan 2015 15:37:20 GMT
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] CURL: HEADER_IN Server: Apache/2.2.22 (Debian)
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] CURL: HEADER_IN Location: http://XXXXXXXX/waffle/controller/
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] CURL: HEADER_IN Vary: Accept-Encoding
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] CURL: HEADER_IN Content-Length: 324
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] CURL: HEADER_IN Content-Type: text/html; charset=iso-8859-1
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] CURL: HEADER_IN
[Thu Jan 22 18:37:20 2015] [5] [12998/7f9a49757100] CURL: DATA_IN <!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] CURL: Connection #0 to host 85.159.209.7 left intact
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] Request returned with status "301 Moved Permanently": VMEYV38AAAEAADLZA58AAAAC
[Thu Jan 22 18:37:20 2015] [2] [12998/7f9a49757100] Flagging server as errored after failure to submit entry VMEYV38AAAEAADLZA58AAAAC with HTTP response code 301: Moved Permanently
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] Sleeping for 50 msec.
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] Worker processing completed.
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] Shutting down due to server error.
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] Worker shutdown locking thread mutex.
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] Worker shutdown unlocking thread mutex.
[Thu Jan 22 18:37:20 2015] [4] [12998/7f9a49757100] Worker thread completed.
[Thu Jan 22 18:37:25 2015] [5] [12998/7f9a49773130] Management thread: Processing

What could be wrong?

Femitha
------------------------------------------------------------------------------
Fem Rah | 20 Jan 14:22 2015

Modsecurity - not writing any debug logs

Hi,

I installed modsecurity 2.8 on Debian by building from source, but I can't find any debug logs. What could be the reason?

Thanks,
FemRah
------------------------------------------------------------------------------
Tim.Einmahl | 20 Jan 09:38 2015

Limit SecRuleUpdateTargetById to a certain path

Hi,

I would like to know how to run SecRuleUpdateTargetById for a certain path (REQUEST_FILENAME).

If I want to ignore an argument for a certain rule, I can use: SecRuleUpdateTargetById 123456 "!ARGS:argument1"

But I would like to limit this to a certain path, e.g. /application/foo.

As far as I know, ctl:SecRuleUpdateTargetById is deprecated, I think there is only the option to do it like this:

SecRule REQUEST_FILENAME "@beginsWith /application/foo" "id:1000001,phase:1,t:none,nolog,pass,ctl:ruleRemoveByID=123456"

But this would remove the whole rule for this path, which is not what I want.

Is there another option to achieve this?

Thanks in advance

Tim

------------------------------------------------------------------------------

Ehsan Mahdavi | 19 Jan 19:00 2015

how important is rule 960015?

Hi, 

I am protecting 15 web sites via different virtual hosts on a Linux box.

Rule 960015 is generating more than 10 thousand alerts on a daily basis.
It also blocks Google, Yandex and some other good bots.

How important is this rule?
Does it buy me valuable security compared to the chunk of audit log entries that it generates?

Are there any remedies?

Thanks in advance

--
                    regards
                 Ehsan.Mahdavi
------------------------------------------------------------------------------
Tim.Einmahl | 19 Jan 12:40 2015

False Positives

Hi all,

I am getting false positives for some ARGS.

For example:

Message: Warning. Pattern match
"([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}"
at ARGS:toktok. [file
"/etc/modsecurity/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of
special characters exceeded"] [data "Matched Data: - found within ARGS:toktok:
a197f274-75c5-4865-af35-913948618a35"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"]
[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file
"/etc/modsecurity/crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id
"981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=1, XSS=): Restricted SQL Character
Anomaly Detection Alert - Total # of special characters exceeded"]

I know I can use SecRuleUpdateTargetById to exclude the ARG "toktok" from being analysed by this rule, but I
don't think that this is ideal, because it would disable the whole rule for the ARG "toktok".

IMHO a better approach would be to tell modsecurity to allow those 4 "-" but still test ARG "toktok" against
the rule (it could contain other special characters sent by an attacker which should be caught).

Is this possible with modsecurity?

Thanks in advance

Tim
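
Added illustration (not part of this post or of the "ARGS_NAMES Whitelist Confusion" post, and not ModSecurity or CRS code): the Python sketch below applies the character class from the rule 981173 pattern quoted in both alerts to the two items from this page, and models an exclusion that skips the rule only when the whole item has a strict expected shape. The shape regexes, the function names and the tampered sample are assumptions made for the example; Python's `re` stands in for the rule engine's regex library and the samples are single-line.

```python
import re

# Characters in the bracket class of the rule 981173 pattern, transcribed from
# the alerts quoted above (the three \u escapes are the UTF-8 sequences
# \xc2\xb4, \xe2\x80\x99 and \xe2\x80\x98 shown in the log).
SPECIALS = "~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>"

# Same structure as the logged pattern: one special character followed by a
# lazy run of anything, repeated at least four times.
RULE_981173 = re.compile("(?:[" + re.escape(SPECIALS) + "].*?){4,}")

# Hypothetical strict shapes for the two items that alerted (assumptions).
UUID_VALUE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
DATA_ARG_NAME = re.compile(r"data\[[A-Za-z]+\]\[[A-Za-z]+\]")


def count_specials(text):
    """Number of characters in text that belong to the rule's class."""
    return sum(ch in SPECIALS for ch in text)


def rule_matches(text):
    """True when the pattern fires, i.e. text holds four or more specials."""
    return RULE_981173.search(text) is not None


def evaluate(text, allowed_shape, anchored=True):
    """Model a conditional exclusion.

    The rule is skipped ("excluded") only when text has the expected shape;
    otherwise the rule still inspects it and returns "alert" or "clean".
    anchored=False uses an unanchored search to show how a loose shape check
    lets extra characters ride along with a valid-looking prefix.
    """
    if anchored:
        shape_ok = allowed_shape.fullmatch(text) is not None
    else:
        shape_ok = allowed_shape.search(text) is not None
    if shape_ok:
        return "excluded"
    return "alert" if rule_matches(text) else "clean"


# First two samples come from the alerts on this page; the rest are constructed.
SAMPLES = [
    ("a197f274-75c5-4865-af35-913948618a35", UUID_VALUE),
    ("data[Token][MenuText]", DATA_ARG_NAME),
    ("a197f274-75c5-4865-af35-913948618a35' OR '1'='1", UUID_VALUE),
    ("plain-value", UUID_VALUE),
]

if __name__ == "__main__":
    for text, shape in SAMPLES:
        print("%-50s specials=%d rule=%-5s strict=%-8s loose=%s" % (
            text, count_specials(text), rule_matches(text),
            evaluate(text, shape), evaluate(text, shape, anchored=False)))
```

Both items from the page contain exactly four characters from the class (four hyphens, four brackets), which is the rule's threshold; the tampered value is excluded by the loose check but still alerts under the anchored one.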

------------------------------------------------------------------------------

Ehsan Mahdavi | 17 Jan 08:47 2015

ctl:ruleRemoveTargetById won't work correctly

Dear All, hi

For a specific URI and argument I don't want the rule 960209 to be fired.

The URI is : /fa/views/ajax
I think the argument is: ARGS_NAMES:ajax_page_state[js][sites/mysite/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js]

The rule 960209 checks argument name length. On my setting it will fire if the length is greater than 100.

I wrote a rule like: SecRule "REQUEST_URI" "@streq /fa/views/ajax" "phase:1,log,id:2001,t:none,pass,ctl:ruleRemoveTargetById=960209;ARGS_NAMES:ajax_page_state[js][sites/mysite/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js]"

It is fired before the rule 960209 but won't work.

I highlighted these rules on my audit trail.

What is the problem?
Thanks in advance

-- 
                    regards
                      E.M


--VLegPn8AAAEAAFB4UbkAAAEB-A--
[15/Jan/2015:14:40:56 +0330] VLegPn8AAAEAAFB4UbkAAAEB 37.254.173.219 18552 176.101.52.98 80
--VLegPn8AAAEAAFB4UbkAAAEB-B--
POST /fa/views/ajax HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.7,fa;q=0.3
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: mysite
Content-Length: 8050
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: has_js=1

--VLegPn8AAAEAAFB4UbkAAAEB-C--
--VLegPn8AAAEAAFB4UbkAAAEB-E--

--VLegPn8AAAEAAFB4UbkAAAEB-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.4.16
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 15 Jan 2015 10:16:58 GMT
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1421317018"
Content-Type: application/json; charset=utf-8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked

--VLegPn8AAAEAAFB4UbkAAAEB-H--
Message: Warning. String match "/fa/views/ajax" at REQUEST_URI. [file "/opt/modsec/facu/etc/active/11035.conf"] [line "3"] [id "2001"]
Message: Warning. String match "/fa/views/ajax" at REQUEST_URI. [file "/opt/modsec/facu/etc/active/11035.conf"] [line "5"] [id "2002"]
Message: Warning. Operator GT matched 100 at ARGS_NAMES:ajax_page_state[js][sites/mysite/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js]. [file "/etc/modsecurity/23001.conf"] [line "23"] [id "960209"] [rev "2"] [msg "Argument name too long"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/SIZE_LIMIT"]
Message: Warning. Operator LT matched 9 at TX:inbound_anomaly_score. [file "/etc/modsecurity/60001.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=0, XSS=0): Argument name too long"]
Apache-Handler: proxy-server
Stopwatch: 1421320254300902 1867389 (- - -)
Stopwatch2: 1421320254300902 1867389; combined=676477, p1=1617, p2=673800, p3=7, p4=259, p5=568, sr=202, sw=226, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.4.7 (Ubuntu)
Engine-Mode: "DETECTION_ONLY"

--VLegPn8AAAEAAFB4UbkAAAEB-K--
SecAction "phase:1,id:900001,t:none,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2,nolog,pass"

SecAction "phase:1,id:900002,t:none,setvar:tx.anomaly_score=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,nolog,pass"

SecAction "phase:1,id:900003,t:none,setvar:tx.inbound_anomaly_score_level=9,setvar:tx.outbound_anomaly_score_level=5,nolog,pass"

SecAction "phase:1,id:900004,t:none,setvar:tx.anomaly_score_blocking=on,nolog,pass"

SecAction "phase:1,id:900006,t:none,setvar:tx.max_num_args=255,nolog,pass"

SecAction "phase:1,id:900007,t:none,setvar:tx.arg_name_length=100,nolog,pass"

SecAction "phase:1,id:900008,t:none,setvar:tx.arg_length=400,nolog,pass"

SecAction "phase:1,id:900009,t:none,setvar:tx.total_arg_length=64000,nolog,pass"

SecAction "phase:1,id:900010,t:none,setvar:tx.max_file_size=1048576,nolog,pass"

SecAction "phase:1,id:900011,t:none,setvar:tx.combined_file_sizes=1048576,nolog,pass"

SecAction "phase:1,id:900012,t:none,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS',setvar:tx.allowed_request_content_type=application/json|application/x-amf|application/x-www-form-urlencoded|application/xml|multipart/form-data|text/xml,setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1',setvar:'tx.restricted_extensions=.dos/ .dll/ .cmd/ .cer/ .bat/ .bak/ .backup/ .dll/ .cer/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',nolog,pass"

SecAction "phase:1,id:900015,t:none,setvar:tx.dos_burst_time_slice=20,setvar:tx.dos_counter_threshold=60,setvar:tx.dos_block_timeout=300,nolog,pass"

SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(.*)$" "phase:1,id:900018,t:none,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var},nolog,pass"

SecRule "&TX:REAL_IP" "@eq 0" "phase:1,id:900021,t:none,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr},nolog,pass"

SecRule "REQUEST_URI" "@streq /fa/views/ajax" "phase:1,log,id:2001,t:none,pass,ctl:ruleRemoveTargetById=960209;ARGS_NAMES:ajax_page_state[js][sites/mysite/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js]"

SecRule "REQUEST_URI" "@streq /fa/views/ajax" "phase:1,log,id:2002,t:none,pass,ctl:ruleRemoveById=981173"

SecRule "REQUEST_METHOD" "@rx ^POST$" "phase:1,log,msg:'POST request missing Content-Length Header.',severity:4,id:960012,ver:OWASP_CRS/2.2.9,rev:1,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,chain"
#SecRule "&REQUEST_HEADERS:Content-Length" "@eq 0" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"

SecRule "&TX:MAX_FILE_SIZE" "@eq 1" "phase:1,log,chain,t:none,block,msg:'Uploaded file size too large',id:960342,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "REQUEST_HEADERS:Content-Type" "@beginsWith multipart/form-data" "chain"
#SecRule "REQUEST_HEADERS:Content-Length" "@gt %{tx.max_file_size}" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_METHOD" "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,log,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960010,tag:OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED,tag:WASCTC/WASC-20,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/EE2,tag:PCI/12.1,severity:2,logdata:%{matched_var}"
SecRule "REQUEST_HEADERS:Content-Type" "@rx ^([^;\\s]+)" "chain,capture"
#SecRule "TX:0" "!@rx ^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS:Content-Type" "@rx ^(application\\/x-www-form-urlencoded|text\\/xml)(?:;(?:\\s?charset\\s?=\\s?[\\w\\d\\-]{1,18})?)??$" "phase:2,log,chain,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'URL Encoding Abuse Attack Attempt',id:950108,tag:OWASP_CRS/PROTOCOL_VIOLATION/EVASION,severity:4"
SecRule "REQUEST_BODY|XML:/*" "@rx \\%((?!$|\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain"
#SecRule "REQUEST_BODY|XML:/*" "@validateUrlEncoding " "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,chain,rev:1,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request Missing an Accept Header',severity:5,id:960015,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10"
#SecRule "&REQUEST_HEADERS:Accept" "@eq 0" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,chain,rev:1,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request Has an Empty Accept Header',severity:5,id:960021,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"
#SecRule "REQUEST_HEADERS:Accept" "@rx ^$" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecRule "&TX:ARG_NAME_LENGTH" "@eq 1" "phase:2,log,chain,t:none,block,msg:'Argument name too long',id:960209,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
SecRule "ARGS_NAMES" "@gt %{tx.arg_name_length}" "t:none,t:length,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

SecRule "&TX:ARG_LENGTH" "@eq 1" "phase:2,log,chain,t:none,block,msg:'Argument value too long',id:960208,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "ARGS" "@gt %{tx.arg_length}" "t:none,t:length,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"


Other non-disruptive rules! <the complete audit trail is available as an attachment>

--VLegPn8AAAEAAFB4UbkAAAEB-Z--
Attachment (audit-event.rar): application/rar, 7477 bytes
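
An added example, not part of the original post: in the audit log above, rule 2001 names a target of rule 960209 in `ctl:ruleRemoveTargetById`, yet part H still logs 960209 for that same target. The Python check below reads one audit-log entry, collects the exclusions printed in part K and reports any part H alert on an excluded rule id and target. The sample entry is constructed and trimmed from the post's log, and the function names are hypothetical.

```python
import re

# Constructed sample: one audit-log entry trimmed from the log in the post.
# The boundary id and file paths are placeholders, not real output.
ARG = ("ARGS_NAMES:ajax_page_state[js][sites/mysite/modules/nice_menus/"
       "superfish/js/jquery.hoverIntent.minified.js]")
SAMPLE = f'''--EXAMPLE01-H--
Message: Warning. String match "/fa/views/ajax" at REQUEST_URI. [file "/x/a.conf"] [line "3"] [id "2001"]
Message: Warning. Operator GT matched 100 at {ARG}. [file "/x/b.conf"] [line "23"] [id "960209"] [msg "Argument name too long"]
Engine-Mode: "DETECTION_ONLY"

--EXAMPLE01-K--
SecRule "REQUEST_URI" "@streq /fa/views/ajax" "phase:1,log,id:2001,t:none,pass,ctl:ruleRemoveTargetById=960209;{ARG}"

--EXAMPLE01-Z--
'''

BOUNDARY = re.compile(r'^--(\S+)-([A-Z])--$', re.M)   # e.g. --<txid>-H--
RULE_ID = re.compile(r'\[id "(\d+)"\]')
TARGET = re.compile(r' at (\S+?)\. \[file ')           # variable the rule matched
EXCL = re.compile(r'ctl:ruleRemoveTargetById=(\d+);([^,"]+)')

def split_parts(entry):
    """Map part letter -> text for a single audit-log entry."""
    parts, marks = {}, list(BOUNDARY.finditer(entry))
    for cur, nxt in zip(marks, marks[1:] + [None]):
        end = nxt.start() if nxt else len(entry)
        parts[cur.group(2)] = entry[cur.end():end].strip()
    return parts

def alerts(part_h):
    """(rule id, matched variable) for every Message: line in part H."""
    found = []
    for line in part_h.splitlines():
        rid, tgt = RULE_ID.search(line), TARGET.search(line)
        if line.startswith('Message: ') and rid and tgt:
            found.append((rid.group(1), tgt.group(1)))
    return found

def exclusions(part_k):
    """(rule id, target) pairs named by ctl:ruleRemoveTargetById in part K."""
    return set(EXCL.findall(part_k))

def unhonoured(entry):
    """Alerts that fired on a rule id and target the same entry excluded."""
    parts = split_parts(entry)
    excluded = exclusions(parts.get('K', ''))
    return [a for a in alerts(parts.get('H', '')) if a in excluded]

if __name__ == '__main__':
    for rule_id, target in unhonoured(SAMPLE):
        print(f'rule {rule_id} still matched excluded target {target}')
```

The comparison is an exact string match on the variable name, so an exclusion written with different case or as a regular expression is not paired with its alert.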